# Data Processing Agreement (DPA)

**Version:** 1.2
**Effective Date:** January 20, 2026
**Last Updated:** March 9, 2026

---

## Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Simply Asking ("Processor," "we," "us," or "our") and the entity agreeing to these terms ("Controller," "Customer," or "you") for the use of Simply Asking's services.

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and other applicable privacy laws.

---

## 1. Definitions

**1.1** "**Applicable Data Protection Law**" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including GDPR, UK GDPR, CCPA, and other applicable privacy laws.

**1.2** "**Controller**" means the entity that determines the purposes and means of Processing Personal Data.

**1.3** "**Data Subject**" means an identified or identifiable natural person whose Personal Data is Processed.

**1.4** "**Personal Data**" means any information relating to an identified or identifiable natural person.

**1.5** "**Processing**" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

**1.6** "**Processor**" means the entity that Processes Personal Data on behalf of the Controller.

**1.7** "**Security Incident**" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

**1.8** "**Services**" means the Simply Asking platform and related services provided to Customer.

**1.9** "**Sub-processor**" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

---

## 2. Scope and Roles

### 2.1 Applicability

This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the Services.

### 2.2 Role of the Parties

- **Controller:** The Customer is the Controller of Personal Data uploaded to or processed through the Services.
- **Processor:** Simply Asking acts as the Processor of such Personal Data, Processing it only on behalf of and in accordance with the Controller's documented instructions.

### 2.3 Categories of Data Subjects

The Personal Data Processed may relate to the following categories of Data Subjects:

- Customer's employees and contractors
- Customer's end users
- Customer's customers and business contacts
- Other individuals whose data is uploaded to the Services by Customer

### 2.4 Types of Personal Data

The types of Personal Data Processed may include:

- Contact information (names, email addresses, phone numbers)
- Professional information (job titles, company information)
- Content data uploaded to the knowledge base
- Usage data and analytics
- Account credentials (hashed)

### 2.5 Processing Activities

Processing activities include:

- Document storage and indexing
- AI-powered search and retrieval
- Knowledge graph generation
- Analytics and reporting
- Customer support

---

## 3. Controller Obligations

### 3.1 Compliance

Controller shall:

(a) Ensure that its collection and provision of Personal Data to Processor complies with all Applicable Data Protection Laws;

(b) Have obtained all necessary consents and authorizations for the Processing of Personal Data;

(c) Ensure that its instructions to Processor comply with Applicable Data Protection Laws;

(d) Be responsible for the accuracy, quality, and legality of Personal Data provided to Processor.

### 3.2 Instructions

Controller's instructions to Processor regarding the Processing of Personal Data are set forth in:

- This DPA
- The Terms of Service
- The documentation for the Services
- Any written instructions provided through the Services

---

## 4. Processor Obligations

### 4.1 Processing Limitations

Processor shall:

(a) Process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law;

(b) Immediately inform Controller if, in Processor's opinion, an instruction infringes Applicable Data Protection Law;

(c) Not Process Personal Data for any purpose other than as necessary to provide the Services.

### 4.2 Confidentiality

Processor shall:

(a) Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) Take reasonable steps to ensure the reliability of personnel who have access to Personal Data.

### 4.3 Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against:

- Unauthorized or unlawful Processing
- Accidental loss, destruction, or damage
- Security Incidents

Such measures include, but are not limited to:

**Technical Measures:**

- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication mechanisms
- Network security and firewalls
- Intrusion detection and prevention systems
- Regular security testing and vulnerability assessments
- Secure coding practices

**Organizational Measures:**

- Security awareness training for personnel
- Access control policies (principle of least privilege)
- Incident response procedures
- Business continuity and disaster recovery plans
- Regular security audits
- Vendor security assessments

### 4.4 Sub-processors

(a) Controller provides general authorization for Processor to engage Sub-processors, subject to the requirements of this Section.

(b) Processor shall maintain a list of current Sub-processors at [/support/subprocessors](/support/subprocessors) and shall notify Controller of any intended changes to Sub-processors by:

- Posting updates to the Sub-processor list at least 30 days before the change
- Sending email notification to Controller's designated contact

(c) Controller may object to any new Sub-processor by providing written notice within 14 days of receiving notification. If Controller objects, the parties shall work in good faith to resolve the objection.

(d) Processor shall impose data protection obligations on Sub-processors that are no less protective than those in this DPA.

(e) Processor remains liable for the acts and omissions of its Sub-processors.

### 4.5 Data Subject Rights

(a) Processor shall promptly notify Controller of any request received directly from a Data Subject to exercise their rights under Applicable Data Protection Law.

(b) Processor shall provide reasonable assistance to Controller in fulfilling its obligations to respond to Data Subject requests, including requests for:

- Access to Personal Data
- Rectification of Personal Data
- Erasure of Personal Data ("right to be forgotten")
- Restriction of Processing
- Data portability
- Objection to Processing

(c) Controller may use the Services' built-in features to respond to certain Data Subject requests directly.

### 4.6 Data Protection Impact Assessments

Processor shall provide reasonable assistance to Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

### 4.7 Audits

(a) Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA.

(b) Processor shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to:

- Reasonable advance notice (at least 30 days)
- Confidentiality obligations
- Reasonable scope and duration
- Controller bearing the costs of the audit

(c) Controller may request audit reports, certifications, and other documentation as evidence of compliance.

---

## 5. Security Incidents

### 5.1 Notification

Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data.

### 5.2 Notification Contents

The notification shall include, to the extent known:

- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of Processor's data protection contact
- Description of likely consequences
- Description of measures taken or proposed to address the incident

### 5.3 Cooperation

Processor shall:

- Cooperate with Controller in investigating the Security Incident
- Take reasonable steps to mitigate the effects and prevent recurrence
- Provide ongoing updates as more information becomes available
- Assist Controller in meeting its notification obligations to supervisory authorities and Data Subjects

---

## 6. International Transfers

### 6.1 Transfer Mechanisms

For transfers of Personal Data to countries outside the EEA, UK, or Switzerland that do not have an adequacy decision, Processor shall ensure appropriate safeguards are in place, including:

(a) **Standard Contractual Clauses (SCCs):** The EU Commission's Standard Contractual Clauses are incorporated into this DPA by reference for EU data transfers.

(b) **UK International Data Transfer Addendum:** For UK data transfers, the UK Addendum to the EU SCCs applies.

(c) **Swiss Data Transfer Mechanisms:** For Swiss data transfers, appropriate mechanisms under Swiss law apply.

### 6.2 Additional Safeguards

Processor implements additional safeguards for international transfers, including:

- Data encryption in transit and at rest
- Access controls limiting who can access Personal Data
- Regular assessment of laws in recipient countries
- Commitment to challenge government access requests where legally permitted

---

## 7. Data Retention and Deletion

### 7.1 Retention

Processor shall retain Personal Data only for as long as necessary to provide the Services, unless:

- Retention is required by applicable law
- Controller provides different instructions

### 7.2 Deletion

Upon termination of the Services or upon Controller's request:

(a) At Controller's election, Processor shall delete or return all Personal Data to Controller within 30 days, with complete removal from all systems (including backups) within 60 days;

(b) Processor shall delete existing copies unless retention is required by applicable law;

(c) Processor shall provide written certification of deletion upon Controller's request.

### 7.3 Data Export

Controller may export Personal Data using the Services' export functionality at any time during the term of the agreement.

---

## 8. Liability and Indemnification

### 8.1 Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

### 8.2 Allocation

Where both parties are responsible for damage caused by Processing:

- Each party shall be liable for its proportionate share of the damage
- The parties shall cooperate in good faith to address claims

---

## 9. General Provisions

### 9.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, without regard to conflicts of law principles.

### 9.2 Amendments

(a) Processor may update this DPA from time to time to reflect changes in:

- Applicable Data Protection Laws
- Our Processing practices
- Services functionality

(b) Material changes will be communicated via email or through the Services at least 30 days before taking effect.

### 9.3 Conflict

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the Processing of Personal Data.

### 9.4 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

### 9.5 Entire Agreement

This DPA, together with the Terms of Service and any applicable Order Forms, constitutes the entire agreement between the parties regarding the Processing of Personal Data.

---

## 10. Contact Information

**Data Protection Contact:**
Simply Asking Privacy Team
Email: legal@simplyasking.io

**For DPA inquiries:**
Email: legal@simplyasking.io

---

## Annex A: Technical and Organizational Measures

### A.1 Access Control

- Strong authentication required for all administrative access
- Role-based access control (RBAC) with principle of least privilege
- Unique user accounts for all personnel
- Automatic session timeout after inactivity
- Access logging and monitoring

### A.2 Encryption

- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- Encryption key management with regular rotation
- Secure key storage using provider-managed encryption key services
- Cryptographically secure random number generation (CSPRNG) for all security-sensitive operations

### A.3 File Security

- Antivirus scanning (ClamAV) for all uploaded files before processing
- Infected files quarantined and logged via security event tracking
- Scanning runs on private infrastructure with no public endpoint exposed

### A.4 Network Security

- Firewall protection at network boundaries
- Intrusion detection and prevention systems
- DDoS mitigation
- Content Security Policy (CSP) headers restricting script sources and third-party resources
- SSRF prevention blocking requests to private and internal network addresses
- CORS origin validation against explicit allowlist (no wildcards)
- Regular vulnerability scanning
- Penetration testing (planned)

### A.4a Compliance Verification

- OWASP Application Security Verification Standard (ASVS) Level 1 compliance: 73/73 controls passed
- CASA (Cloud Application Security Assessment) via ESOF AppSec: DAST scanning completed, remediation completed, certification pending final review

### A.5 Physical Security

- Data centers with SOC 2 Type II certification
- Physical access controls (biometric, key card)
- 24/7 surveillance and monitoring
- Environmental controls (fire suppression, climate control)

### A.6 Operational Security

- Change management procedures
- Secure software development lifecycle
- Code review requirements
- Segregation of production and development environments

### A.7 Incident Response

- Documented incident response plan
- Infrastructure-level monitoring provided by hosting providers
- Defined escalation procedures
- Regular incident response reviews

### A.8 Business Continuity

- Regular data backups (encrypted)
- Geographically distributed backup storage
- Disaster recovery plan with defined RTOs and RPOs
- Regular backup restoration testing

### A.9 Vendor Management

- Security assessment of Sub-processors
- Contractual security requirements
- Ongoing monitoring of Sub-processor compliance

---

## Annex B: Standard Contractual Clauses

For transfers of Personal Data from the EEA to third countries without an adequacy decision, the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) are incorporated by reference.

**Module Two (Controller to Processor)** applies where:

- Customer is the data exporter and Controller
- Simply Asking is the data importer and Processor

The parties agree that:

- Clause 7 (Docking clause): Applies
- Clause 9 (Use of sub-processors): Option 2 (General written authorization) with 30-day notice period
- Clause 11 (Redress): Optional clause does not apply
- Clause 17 (Governing law): Laws of Ireland
- Clause 18 (Choice of forum and jurisdiction): Courts of Ireland

---

## Annex C: UK International Data Transfer Addendum

For transfers of Personal Data from the UK to third countries, the UK Addendum to the EU Standard Contractual Clauses (as issued by the Information Commissioner under s.119A(1) Data Protection Act 2018) applies.

---

_This Data Processing Agreement is provided for informational purposes. Customers requiring a signed DPA should contact legal@simplyasking.io._
